Audit Report, “NASA’s Performance Measure Data Under the Federal Information Security Management Act” (IG-05-025, September 16, 2005)

The NASA Office of Inspector General completed an audit of NASA performance measures reported under the Federal Information Security Management Act of 2002 (FISMA). We performed this audit to determine whether certain information technology (IT) security performance measures complied with National Institute of Standards and Technology (NIST) guidance and NASA Procedural Requirements for IT security. We also assessed the accuracy of data NASA reported on those performance measures in the first quarter Fiscal Year (FY) 2004 FISMA Report to the Office of Management and Budget (OMB).

We noted several significant internal control weaknesses associated with the certification of IT systems, IT risk assessments, IT system security control testing and evaluation, and IT contingency plan testing. Specifically, the NASA certification process did not ensure that security controls on IT systems were tested, evaluated, and certified by an independent party. NASA’s IT risk assessment policies and procedures were inconsistently implemented from Center to Center and NASA’s annual security control testing and evaluation of IT systems were not conducted in accordance with Federal requirements. Also, we identified IT system contingency plans that were not tested in accordance with Federal guidance. NASA concurred with our recommendations and either took or was planning to take appropriate corrective actions.

The report contains NASA Information Technology/Internal Systems Data that is not routinely released under the Freedom of Information Act (FOIA). To submit a FOIA request, see the online guide.